Installation Instructions for 3com S7906E

[Sysname] acl number 2000 
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0 
# Verify the configuration. 
[Sysname-acl-basic-2000] display acl 2000 
Basic ACL  2000, named -none-, 1 rule, 
ACL's step is 5 
 rule 0 deny source 1.1.1.1 0 
Configuring an Advanced IPv4 ACL  
Advanced IPv4 ACLs filter packets based on source IP address, destination IP address, the protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port, TCP/UDP destination port, ICMP message type, and ICMP message code.
In addition, advanced IPv4 ACLs allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Advanced IPv4 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv4 ACLs, they allow more flexible and accurate filtering.
Configuration Prerequisites 
If you want a rule to reference a time range, define the time range with the time-range command first.
Configuration Procedure  
Follow these steps to configure an advanced IPv4 ACL:  
To do: Enter system view
Use the command: system-view
Remarks: ––

To do: Create and enter advanced IPv4 ACL view
Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name acl-name command to enter the view of the ACL later.

To do: Create or modify a rule
Use the command: rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
Remarks: Required. To create multiple rules, repeat this step.
Note that if the ACL is to be referenced by a QoS policy for traffic classification, the logging, reflective and vpn-instance keywords are not supported and the operator argument cannot be:
- neq, if the policy is for the inbound traffic,
- gt, lt, neq or range, if the policy is for the outbound traffic.
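
The QoS restrictions in the remarks for the rule command can be checked before an ACL is bound to a policy. The following Python linter is an added example, not part of the 3Com manual; the function names, ACL number 3000, and sample rules are constructed for illustration, and the eq operator is assumed from the Comware CLI.

```python
# Added example (not from the 3Com manual): lint advanced IPv4 ACL rules
# before the ACL is referenced by a QoS policy for traffic classification.
UNSUPPORTED = {"logging", "reflective", "vpn-instance"}
BAD_OPERATORS = {
    "inbound": {"neq"},
    "outbound": {"gt", "lt", "neq", "range"},
}
PORT_KEYWORDS = {"source-port", "destination-port"}
NAME_KEYWORDS = {"time-range", "vpn-instance"}  # next token is a free-form name


def lint_rule(rule, direction):
    """Return the list of QoS-incompatibility findings for one rule line."""
    bad_ops = BAD_OPERATORS[direction]  # KeyError on an unknown direction
    tokens = rule.split()
    findings = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in UNSUPPORTED:
            findings.append(f"keyword '{tok}' is not supported")
        if tok in PORT_KEYWORDS and i + 1 < len(tokens) and tokens[i + 1] in bad_ops:
            findings.append(f"{tok} operator '{tokens[i + 1]}' not allowed for {direction} traffic")
        # Skip the name argument so a name such as "logging" is not misread.
        i += 2 if tok in NAME_KEYWORDS else 1
    return findings


def lint_acl(rules, direction):
    """Map each offending rule line to its findings; clean rules are omitted."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule, direction)
        if findings:
            report[rule] = findings
    return report


# Constructed sample rules for a hypothetical ACL 3000; the last rule uses a
# time range that happens to be named "logging".
SAMPLE_RULES = [
    "rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination any destination-port eq 80",
    "rule 5 deny udp source any source-port neq 53",
    "rule 10 permit tcp destination any destination-port range 1024 2048 logging",
    "rule 15 deny tcp destination-port gt 1023 time-range logging",
]

if __name__ == "__main__":
    for direction in ("inbound", "outbound"):
        for rule, findings in lint_acl(SAMPLE_RULES, direction).items():
            print(f"[{direction}] {rule}: {'; '.join(findings)}")
```

Run it against the rule lines taken from display acl output and the direction in which the QoS policy will be applied; an empty report means none of the listed restrictions is violated.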